Konstantinos Tsoukalas

Konstantinos is the founder and administrator of Wintips.org. Since 1995 he has worked and provided IT support as a computer and network expert to individuals and large companies. He specializes in solving problems related to Windows or other Microsoft products (Windows Server, Office, Microsoft 365, etc.).

54 Comments

  1. Pang alexis
    May 16, 2016 @ 8:27 am

    My Com infect RSA4096, RogueKiller & Shadow Explorer won't work, I use SpyHunter to kill then use MiniTool Power Data Recovery to get my photo back. For those infect RSA4096 with work.

  2. Saskia
    March 24, 2016 @ 11:20 pm

    Hi, I wanted to say thank you also! I was able to remove it fairly quickly by myself, Malwarebytes is always my go to in these cases. But the file recovery was more difficult. Ontrack and programs like that got me nowhere (all files corrupted) and previous versions didn't work either. Then I found this and tried shadow explorer! That worked like a charm!

    Luckily for me, the infected computer (my mother's) was detected within hours because it started messing with a shared Dropbox folder, which prompted messages on my computer. Now I just need to find a way to prevent programs like this from messing with my backups in Dropbox and Google Drive, now that this type of thing is starting up again. If anyone has any ideas, please let me know!

  3. alex
    January 7, 2016 @ 4:23 pm

    Hello! I have encountered this virus and I managed to remove it by following your steps. I didn't lose any important files.
    I'm writing only to intend to thank you for doing such a great job in order to help us.

  4. Gratiela
    October 29, 2015 @ 2:37 pm

    Hi, I am trying to recover my files with Shadow Explorer, but it shows me previous versions of my files from a week ago. My computer has been infected about 4 weeks ago. :(
    Is there any other way to recover my files?
    Warm regards

    • lakonst
      November 5, 2015 @ 11:10 am

      @Gratiela: Unfortunately, (as I know so far) no.

    • Tania Panayotova
      December 20, 2015 @ 2:37 pm

      Hello Mark, I am with Windows XP and I have the same problem as you. Could you restore your files?

  5. Bob
    September 20, 2015 @ 9:07 am

    This is the most horrible experience one will endure, I don't wish this on my worst enemy, good luck all, keep the posts coming maybe someone might find a solution, we hope and we pray, I just got infected myself and I am looking for a solution, I am on win Xp as well and will re-post if I find anything useful. Thank you all for helping out.

    • Cam
      October 7, 2015 @ 11:39 am

      Hi bob,
      There are many different variants out there currently. I've had luck with recovering some machines by using a tool like Recuva. This does a deep scan and retrieves deleted files. Some of the variants perform a copy/rename of the file, encrypt the file and delete the original, so sometimes you can restore using above said programs.
      A good working backup is your safest bet.
      Unfortunately the master servers sit in the Tor network so it makes it very difficult to hack the bastards. :( doesn't stop me trying but.

  6. Richard
    August 28, 2015 @ 8:36 am

    Dear All,

    A few days ago, my laptop was attacked by the above virus and I am now trying to find a solution. Since the last post above is dated Apr 15, I am wondering if anybody has come across any other solution? Did anyone try the procedure mentioned by Cal (i.e. take the hard drive out, put it in another machine as external drive and run a file recovery program)? Many thanks in advance.

  7. Menna
    August 28, 2015 @ 2:52 am

    what if I installed a new windows version and deleted all the encrypted files .. would this help??

    • lakonst
      August 29, 2015 @ 9:01 am

      @Menna: If you format your drive during installation, you will clean the virus, but you will completely lose your data.

  8. evelyn raynond
    April 23, 2015 @ 8:05 pm

    Just curious I helped a friend remove virus but he has winxp so restoration options you describe above don't apply. Can we restore his computer to factory settings or are they also encrypted?
    thanks in advance

    • lakonst
      April 24, 2015 @ 7:39 am

      @evelyn raynond: The factory settings are not encrypted. Factory settings don't restore your personal (encrypted) files, only the OS as installed by the manufacturer.

  9. Vladimir
    April 8, 2015 @ 6:16 pm

    Hi, I got the same virus, and I don't have anything important on my computer, can I just install new Windows? Then the virus is gone for sure, right? Please answer as soon as possible, because my internet operator blocked my connection because of that stupid virus. Thank you in advance :)

    • lakonst
      April 9, 2015 @ 7:30 am

      @vladimir: If you clear the virus you don't have to re-install Windows.

  10. mark
    March 17, 2015 @ 3:14 pm

    I am running Windows XP and this happened to my computer.
    I do not have a backup of my files.
    Will the shadow work to restore my files running Windows XP?

    • lakonst
      March 17, 2015 @ 3:34 pm

      @mark: Unfortunately not. It's designed to work on Windows Vista/7 and it seems to work on Windows Server 2003/2008/2008 R2 as well.

    • TANIA
      December 21, 2015 @ 12:36 pm

      Mark, I am with Windows XP and I have the same problem as you. Could you restore your files?

  11. Suren
    March 14, 2015 @ 10:32 am

    Before doing this I reinstalled the Win 7 OS… after that I tried these steps but I can't get the previous version of the folder… please help me

    • lakonst
      March 14, 2015 @ 10:55 am

      @Suren: Unfortunately, you have deleted all previous versions during re-install.

      • Suren
        March 14, 2015 @ 11:54 am

        I can't get my files back?

        • lakonst
          March 14, 2015 @ 2:14 pm

          You cannot…

  12. Hwang
    March 5, 2015 @ 4:06 am

    Hi, I have a question. After the infection, if I send my "not attacked document" in my computer to an external hard disk, is there any possibility that the external hard disk is also infected?
    (Sorry for my poor English)

    • lakonst
      March 5, 2015 @ 2:09 pm

      @Hwang: If you have already disinfected your computer then there is no problem.

  13. mike
    February 24, 2015 @ 8:14 am

    Just did it. Had the drive as external and used shadow, restored everything
    thank you

  14. Robby William
    February 3, 2015 @ 10:59 am

    I've cleaned it all. But I don't have any "restore previous version" selection. Also from Shadow Explorer, it's just a blank page. What's wrong? Is it because I don't have a restore point? Or my recovery option deactivated? Any other way to restore my files?

    • lakonst
      February 3, 2015 @ 11:48 am

      For some reason System Restore is disabled on your computer. Unfortunately, as far as I know, there is no other way to restore your files, but some people (online) reported that by using a file recovery program (e.g. Ontrack EasyRecovery, R-Studio or EaseUS Data Recovery) they managed to regain their files.

  15. girish
    January 30, 2015 @ 2:16 pm

    Since I am facing the same problem of the cryptowall virus, I tried all the methods and finally I formatted and installed the OS. Is it possible to decrypt or recover my Word and XL files? If so, pls suggest me how to do it.

  16. Barbara
    January 28, 2015 @ 3:51 pm

    Hi, thanks for the article. I have a question – I have all my photographs on an external hard drive and they have all been "attacked" by this scourge. Is there any way that I would be able to recover them? all are .jpeg files.

    • lakonst
      January 29, 2015 @ 7:26 pm

      @Barbara: Unfortunately, there is not!

  17. Cal Hart
    December 30, 2014 @ 9:44 pm

    Nice article, I found the following file recovery solution on another website and want to know if you have heard of it and if it works. Thanks in advance! Cal

    ——————————————————————————————————–
    What if you have no shadow copies and no backup of your files? There is still a way.
    As I said, Cryptowall doesn't encrypt your original files. It will do a copy of it, encrypt it, and delete the original file.

    As you probably know, a deleted file can be recovered if nothing has been written over it on your disk. Good thing you quickly powered off the machine soon after the infection!

    Now all you have to do is take your hard drive out, put it in another machine as external drive, or second drive if you don't have a SATA dock, and run a file recovery program.

    I use Ontrack EasyRecovery or R-Studio, or even DataRescue for Mac.
    The pro version of Ontrack EasyRecovery might also be able to recover files from a RAID array if one of your network shares has been encrypted and you don't have backups.

    All these programs will be able to recover the original files deleted by Cryptowall.

    Just make sure when you run those to NOT do it directly on the original machine as by writing on your infected disk, the program could overwrite your deleted files.

    You should be able to recover 99% of your files using this method.

    • suhas
      January 31, 2015 @ 6:34 pm

      THANK YOU CAL, I have data in my other drive and formatted C drive. Now can I copy the data to pendrive or external HD and try to recover in my computer itself? Pls help me Bro.

  18. Riekie
    December 19, 2014 @ 4:00 pm

    I cannot open Shadow Explorer after downloading it. I get an error message. I have Win 8 and my files are on Dropbox. How can I recover them from Dropbox?

    • lakonst
      December 19, 2014 @ 6:57 pm

      You cannot recover files from Dropbox using Shadow Explorer. Look here on how to restore previous versions from Dropbox: https://www.dropbox.com/help/11

  19. kor
    December 7, 2014 @ 1:28 pm

    after exporting my files (with shadow explorer) to another disk, is it really safe to open them on another computer? I mean, there is no risk of exporting the infection?

    • lakonst
      December 8, 2014 @ 10:23 am

      If you have already cleaned your computer & scanned files with AV program, there is no risk!

  20. Roy
    December 3, 2014 @ 11:27 am

    Using Shadow Explorer would it be safe to export my desktop folder? All docs and most of the photos I want to recover are on the desktop.. help please.

    • lakonst
      December 3, 2014 @ 12:50 pm

      Yes it is safe. But recover (extract) them to another disk.

  21. Robert Rogers
    December 2, 2014 @ 11:11 pm

    I think I picked up the cryptowall thing about a month ago, I first noticed I could not open files then noticed the decrypt_instruction.txt on the desktop. Not knowing what I know now, I just started deleting everything that said anything about decrypt… I never was directed to the BITCOIN webpage deal. I have since run Malwarebytes and Spyhunter, now I want to try to recover some of my files with this Shadow Explorer … any further advice?? Thanks!!

    • lakonst
      December 3, 2014 @ 9:55 am

      @ Robert. Good luck. All I know about cryptowall are already mentioned here.

  22. rajendra
    November 14, 2014 @ 5:59 am

    I have Windows XP, please help

    • lakonst
      November 14, 2014 @ 6:02 pm

      Unfortunately there is not a working solution (yet) for Windows XP.

  23. HotRod
    November 12, 2014 @ 2:12 am

    What if I don't care about the files that are encrypted? Can I simply delete them all? Or is the cryptowall still in there and will affect future files that I may put onto the computer?

    • lakonst
      November 12, 2014 @ 10:15 am

      Yes you can delete your files. But first you have to disinfect your computer.

  24. Jeff
    November 11, 2014 @ 12:50 am

    Is there a way to restore QuickBooks with Shadow Explorer.. or any other known site/download for that matter. I would hate to have a year's worth of things to search for and find since I did not complete the backup.. eeeeek!!!

  25. PondViewet
    November 3, 2014 @ 7:55 am

    When restoring files from a clean backup, is it safe to overwrite the encrypted versions?

    • lakonst
      November 3, 2014 @ 11:43 am

      Yes, it's safe. (but first disinfect your computer).

  26. Amad
    September 30, 2014 @ 7:21 am

    I use Windows XP. I have successfully removed the viruses, but how can I restore my files?

    • lakonst
      September 30, 2014 @ 11:03 am

      Only from a clean backup.

  27. SMWilliams
    September 25, 2014 @ 12:37 am

    Is there a known signature that you can search for within your environment to determine if the virus came through email, or is attached to a file that might be on a fileshare?

    • lakonst
      September 25, 2014 @ 10:55 am

      As I know, there isn't a known signature.

  28. SCook
    September 20, 2014 @ 6:56 pm

    Using the guidance from this site, I was able to successfully remove the cryptowall and used ShadowExplorer to restore my files. It was a bit tedious but well worth the time to restore all. Thank you so much for the guidance.

  29. Helpdesk
    September 11, 2014 @ 8:44 pm

    Hi:

    Nice article, I read that there is a way to decrypt your files as of the END of JUNE 2014. Can you help me understand how we decrypt our files?

    Thank you,
    Helpdesk

    • lakonst
      September 12, 2014 @ 7:50 am

      I'm sorry, misunderstanding… 'Unfortunately, a FREE decryption tool or method to decrypt Cryptowall encrypted files DOES NOT EXIST (until the day this article was written – at the end of June 2014).'
